authorAlan Conway <aconway@apache.org>2011-12-06 15:56:40 +0000
committerAlan Conway <aconway@apache.org>2011-12-06 15:56:40 +0000
commit50083a9b6553d832856bc7d402dd186f74d80254 (patch)
treeb6b0c097cd643e51b7c1615e6b2f8c2aca850efa /cpp/src/qpid/broker/SemanticState.cpp
parentefd035d01dd87dd146f3fc6aacabc8c28b10316d (diff)
QPID-3652: Fix cluster authentication.
Only allow brokers that authenticate as the cluster-username to join a cluster. A new broker first connects to a cluster broker, authenticates as the cluster-username, and sends its CPG member ID to the qpid.cluster-credentials exchange. The cluster broker that subsequently acts as updater verifies that the credentials are valid before connecting to give the update. NOTE 1: If you are using an ACL, the cluster-username must be allowed to publish to the qpid.cluster-credentials exchange. E.g. in your ACL file: acl allow foo@QPID publish exchange name=qpid.cluster-credentials NOTE 2: This changes the cluster initialization protocol; you will need to restart the cluster with all new-version brokers. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1210989 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src/qpid/broker/SemanticState.cpp')
-rw-r--r--cpp/src/qpid/broker/SemanticState.cpp4
1 files changed, 1 insertions, 3 deletions
diff --git a/cpp/src/qpid/broker/SemanticState.cpp b/cpp/src/qpid/broker/SemanticState.cpp
index aa1face18d..0956501e76 100644
--- a/cpp/src/qpid/broker/SemanticState.cpp
+++ b/cpp/src/qpid/broker/SemanticState.cpp
@@ -72,8 +72,6 @@ SemanticState::SemanticState(DeliveryAdapter& da, SessionContext& ss)
dtxSelected(false),
authMsg(getSession().getBroker().getOptions().auth && !getSession().getConnection().isUserProxyAuth()),
userID(getSession().getConnection().getUserId()),
- userName(getSession().getConnection().getUserId().substr(0,getSession().getConnection().getUserId().find('@'))),
- isDefaultRealm(userID.find('@') != std::string::npos && getSession().getBroker().getOptions().realm == userID.substr(userID.find('@')+1,userID.size())),
closeComplete(false)
{}
@@ -467,7 +465,7 @@ void SemanticState::route(intrusive_ptr<Message> msg, Deliverable& strategy) {
/* verify the userid if specified: */
std::string id =
msg->hasProperties<MessageProperties>() ? msg->getProperties<MessageProperties>()->getUserId() : nullstring;
- if (authMsg && !id.empty() && !(id == userID || (isDefaultRealm && id == userName)))
+ if (authMsg && !id.empty() && !session.getConnection().isAuthenticatedUser(id))
{
QPID_LOG(debug, "authorised user id : " << userID << " but user id in message declared as " << id);
throw UnauthorizedAccessException(QPID_MSG("authorised user id : " << userID << " but user id in message declared as " << id));
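Review bot: The comment above the check still reads `/* verify the userid if specified: */` while the new condition delegates the whole comparison to `isAuthenticatedUser`, so the realm handling that the removed `isDefaultRealm`/`userName` members used to make explicit here is now invisible at this call site; suggest `/* verify the userid if specified; matching rules (incl. default-realm short form) live in Connection::isAuthenticatedUser */`. Presumably `isAuthenticatedUser` reproduces the old "bare name matches when the realm is the default realm" case — worth confirming, since an unqualified id that used to pass would otherwise now be rejected as an UnauthorizedAccessException. As a point of style, the new line reaches the connection via `session.getConnection()` whereas the constructor in the first hunk uses `getSession().getConnection()`; picking one accessor keeps the class consistent. The body of `route()` continues outside the hunk.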